
Micro Focus Technical Bootcamp 2018


What a welcome to Bangkok! A bustling metropolis of 8.2 million people, known for its ornate shrines and vibrant street life, the city hosted me and my colleagues Jim T and Andrew P for this year’s highly anticipated Micro Focus APJ Technical Bootcamp. Held in the first week of December, it consisted of 13 technical streams covering Application Delivery Management (ADM – my chosen area of interest and what we’ll deep dive into here), Security, Information Management and IT Operations Management (ITOM).

Sunday evening saw event attendees converging from all parts of the APJ region and checking into the impressive Hilton Hotel – lucky us! It was fantastic to meet and get to know other techies not just from Australia but India, Singapore, Taiwan, China, Philippines, Malaysia, and of course Thailand.

Micro Focus went above and beyond with the information, demonstrations and labs covered in the span of the time we had, so to summarise the bootcamp in a blog post is much like experiencing a cold night in Bangkok – practically impossible! However, there are six ADM highlights we are excited to share.

 

1. Latest integrations

It’s widely accepted that developing, delivering and supporting business applications is growing increasingly complex in terms of tools, applications and platforms. A single business transaction typically requires integration between multiple systems, with release cycles becoming ever shorter (Amazon deploys a new release to production somewhere in their ecosystem every 11.6 seconds!). Customers are demanding better performance from more secure applications with fewer defects. Oh, and they want to consume that app on their chosen device running a particular version of a given operating system, using the browser of their choice, which may not be on the latest version. To put this into perspective, it’s been estimated that the number of unique Device/OS/Browser version combinations operating in the world today is in excess of 28,000! That’s a lot of cocktails!

Micro Focus is uniquely positioned to tackle these complexity challenges with a suite of integrated technologies. But not only do they provide ‘best of breed’ solutions covering all aspects of DevOps, they also fully embrace and integrate with a myriad of open source applications. The result is customers can implement the best solution for their needs, using open source tools, licenced applications or a combination. Examples of what that can potentially look like below.

2. ALM Octane – providing full lifecycle management for Agile projects

Main features and what’s new:

  • Single point of insight into your CI system – full integration with CI tools (Jenkins and Bamboo) to drive packaging, building, automated testing and deployment of applications
  • Integration with numerous automated testing tools and platforms – UFT, Selenium, LeanFT, Mobile Center, StormRunner Functional, to name a few
  • Integration with Fortify to execute automated security tests, both static (code scans) and dynamic (penetration testing)
  • Full support for the SAFe methodology, with full integration with Jira, a more team-centric tool
  • Full audit compliance

 

3. Mobile Center – the single gateway that expands MF products to mobile technology

Mobile Center (MC) can be integrated with UFT allowing functional regression testing against an iOS or Android mobile device. Integrate MC with Loadrunner to execute a performance test or with Fortify to perform a security scan, or even manually test on an actual or virtual mobile device by integrating with Sprinter.

4. UFT (Unified Functional Testing) – the industry leader in functional test automation

UFT remains a core focus for MF. With quarterly releases, MF ensures the product is continually enhanced to keep up with the ever-changing market demands and emerging technologies.

  • Support for over 40 technologies and environments
  • Full cross browser testing coverage
  • Full headless API testing
  • Integration with MF Mobile Center and MF StormRunner Functional, allowing automated tests to be executed against virtually any OS platform, browser or mobile device
  • Integration with Git repositories with powerful code comparison capabilities between current test components and the previous revision. Tests stored in the Git repository can in turn be accessed by Jenkins or Bamboo CI tools to be run as part of a Continuous Integration pipeline through ALM Octane

 

5. LeanFT – moving automated regression testing to the left of your application development lifecycle

LeanFT is a powerful and lightweight functional testing solution built specifically for continuous testing, allowing developers to build and run automated unit regression tests directly from their chosen IDE. Key features include:

  • Integrates with common IDEs (including Visual Studio, Eclipse, IntelliJ, Android Studio)
  • Cross-platform and cross-browser support. Full mobile support (using Mobile Center)
  • Easily create Selenium tests with LeanFT for Selenium
  • CI/CD-ready Docker image to allow execution of tests within containers
  • Built-in Cucumber BDD Template

6. StormRunner Functional – Complete on-demand digital lab in the cloud

SRF provides a lab consisting of multiple browsers running on various Windows, Mac and Linux versions across a selection of resolutions. In addition, iOS and Android devices are available with a selection of browsers. This allows developers and test engineers to automatically execute parallel test cases across multiple platforms, on-demand in the cloud. SRF can be integrated with various MF and open source automated testing tools. Alternatively, you can record and maintain your automated test scripts directly in SRF. SRF tests can also be run from a Bamboo or Jenkins CI pipeline. Lastly, SRF provides comprehensive reporting and defect management with integration into ALM, Octane and Jira.

So what’s new in SRF 1.61?

Conclusion

Micro Focus has truly demonstrated maturity in the ADM space, with an unrivalled breadth and depth of tools simultaneously enabling Continuous Integration and Continuous Delivery of applications, whilst ensuring a level of quality customers can rely on.

  

Find out more

Interested to know more about these new ADM capabilities? Our specialist team is here to help you improve your business application development, delivery and support.

Our team on the case

'Do what you can, with what you have, where you are.' - Theodore Roosevelt.

Reinhardt Moller

Technical Consultant

Length of Time at JDS

9.5 years

Skills

Products: Primary: HPE ALM and UFT, Secondary: HPE BSM and Loadrunner, ServiceNow

Personal: Photography

Workplace Passion

Helping customers build solutions to tackle testing and monitoring challenges

Our Micro Focus stories

Posted by Jillian Hunter in Blog, Micro Focus
Using Splunk to look for Spectre and Meltdown security breaches


Meltdown and Spectre are two security vulnerabilities that are currently impacting millions of businesses all over the world. Since the news broke about the flaw in Intel processor chips that opened the door to once-secure information, companies have been bulking up their system security and implementing patches to prevent a breach.

Want to make sure your system is protected from the recent outbreak of Spectre and Meltdown? One of our Splunk Architects, Andy Erskine, explains one of the ways JDS can leverage Splunk Enterprise Security to check that your environment has been successfully patched.

What are Spectre and Meltdown and what do I need to do?

According to the researchers who discovered the vulnerabilities, Spectre “breaks the isolation between different applications”, which allows attackers to expose data that was previously considered secure. Meltdown “breaks the most fundamental isolation between user applications and the operating system”.

Neither type of attack requires software vulnerabilities to be carried out. Labelled “side channel attacks”, they are not solely based on operating systems as they use side channels to acquire the breached information from the memory location.

The best way to lower the risk of your business’s sensitive information being hacked is to apply the newly created software patches as soon as possible.

Identifying affected systems

Operating system vendors are forgoing regular patch release cycles and publishing operating system patches to address this issue.

Tools such as Nessus/Tenable, Qualys, Tripwire IP360, etc. regularly scan environments for vulnerabilities such as this and can identify affected systems by checking for the newly released patches.

Each plugin created for the Spectre and Meltdown vulnerabilities will be marked with at least one of the following CVEs:

Spectre:

  • CVE-2017-5753: bounds check bypass
  • CVE-2017-5715: branch target injection

Meltdown:

  • CVE-2017-5754: rogue data cache load

To analyse whether your environment has been successfully patched, you would want to ingest data from these traditional vulnerability management tools and present the data in Splunk Enterprise Security.

Most of these tools have a Splunk app that brings the data in and maps it to the Common Information Model. From there, you can use searches such as the one below to identify the specific CVEs associated with Spectre and Meltdown.

Once the data is coming into Splunk, we can create a search that discovers any vulnerable instances in your environment, proactively notifies on them, and flags them as a priority for patching.

Here is an example search that customers using Splunk Enterprise Security can use to identify vulnerable endpoints:

tag=vulnerability (cve="CVE-2017-5753" OR cve="CVE-2017-5715" OR cve="CVE-2017-5754")
| table src cve pluginName first_found last_found last_fixed
| dedup src
| fillnull value=NOT_FIXED last_fixed
| search last_fixed=NOT_FIXED
| stats count as total
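The same check carried out outside Splunk, as an added example (this is not code from the post, from JDS or from Splunk): it reads constructed scanner events that use the field names of the search above (src, cve, pluginName, first_found, last_found, last_fixed), keeps only the three Spectre/Meltdown CVEs, and reports each host that still has a finding with no last_fixed date. Hostnames, plugin names and dates are made up, and the unrelated CVE-2017-0000 is a placeholder, not a real identifier.

```python
"""Find hosts still exposed to Spectre/Meltdown from vulnerability-scanner events.

Added example, not code from the original post or from Splunk. It mirrors the
Splunk search: filter on the three CVEs, then report hosts whose finding has
no last_fixed date (the NOT_FIXED case) and count them.
"""
import re
from collections import defaultdict

# The three CVEs named in the post.
SPECTRE_MELTDOWN_CVES = {
    "CVE-2017-5753",  # Spectre: bounds check bypass
    "CVE-2017-5715",  # Spectre: branch target injection
    "CVE-2017-5754",  # Meltdown: rogue data cache load
}

# Constructed sample events (not real scan output) in key="value" form, using
# the same field names as the Splunk search. Hostnames and plugin names are
# made up; CVE-2017-0000 is a placeholder for an unrelated finding.
SAMPLE_EVENTS = [
    'src="web01.example.internal" cve="CVE-2017-5754" pluginName="Meltdown OS patch missing" first_found="2018-01-05" last_found="2018-01-12" last_fixed=""',
    'src="web01.example.internal" cve="CVE-2017-5715" pluginName="Spectre v2 OS patch missing" first_found="2018-01-05" last_found="2018-01-05" last_fixed="2018-01-10"',
    'src="db02.example.internal" cve="CVE-2017-5753" pluginName="Spectre v1 OS patch missing" first_found="2018-01-05" last_found="2018-01-05" last_fixed="2018-01-09"',
    'src="db02.example.internal" cve="CVE-2017-5754" pluginName="Meltdown OS patch missing" first_found="2018-01-05" last_found="2018-01-05" last_fixed="2018-01-09"',
    'src="app03.example.internal" cve="CVE-2017-0000" pluginName="Unrelated finding (constructed)" first_found="2018-01-02" last_found="2018-01-12" last_fixed=""',
    'src="app03.example.internal" cve="CVE-2017-5753" pluginName="Spectre v1 OS patch missing" first_found="2018-01-05" last_found="2018-01-12" last_fixed=""',
    'src="jump04.example.internal" cve=" CVE-2017-5754" pluginName="Meltdown OS patch missing" first_found="2018-01-06" last_found="2018-01-12" last_fixed=""',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one key="value" event line into a dict of string fields."""
    return dict(KV_RE.findall(line))


def unfixed_hosts(lines, cves=SPECTRE_MELTDOWN_CVES):
    """Return {src: sorted list of target CVEs that have no last_fixed date}.

    A host is reported if ANY of its Spectre/Meltdown findings is still open,
    even when another one on the same host has been fixed; fully remediated
    hosts are omitted. CVE values are stripped of surrounding whitespace so a
    stray space inside the quotes (last sample event) does not hide a finding.
    """
    open_by_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        cve = ev.get("cve", "").strip().upper()
        if cve not in cves:
            continue
        if not ev.get("last_fixed", "").strip():
            open_by_host[ev["src"]].add(cve)
    return {host: sorted(found) for host, found in open_by_host.items()}


def count_unfixed(lines, cves=SPECTRE_MELTDOWN_CVES):
    """Equivalent of the final '| stats count as total' in the Splunk search."""
    return len(unfixed_hosts(lines, cves))


if __name__ == "__main__":
    for host, open_cves in sorted(unfixed_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: NOT_FIXED for {', '.join(open_cves)}")
    print("total:", count_unfixed(SAMPLE_EVENTS))
```

The grouping is per host rather than per event, so a host with one fixed and one still-open Spectre/Meltdown finding (web01 in the sample) is still reported; that is the case a patch-verification report most needs to catch.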

Example Dashboard Mock-Up

JDS consultants are experts in IT security and proud partners with Splunk. If you are looking for advice from the experts to implement or enhance Splunk Enterprise Security or any other Splunk solution, get in touch with us today.

Conclusion

To find out more about how JDS can help you with your security needs, contact our team today on 1300 780 432, or email contactus@jds.net.au.

Our team on the case

Work hard, Play hard.

Andy Erskine

Consultant

Length of Time at JDS

2.5 years

Skills

  • The CA Suite of tools, notably CA APM, CA Spectrum, CA Performance Manager
  • Splunk

Workplace Passion

Learning new applications and applying them to today’s problems.

Our Splunk stories

Posted by Amy Clarke in Blog, Micro Focus
Case Study: Netwealth bolster their security with Splunk


Netwealth, an Australian superannuation and investment company, implemented Splunk as a SIEM-compliant monitoring tool to bolster their information security.

The project was certainly a success, and Splunk is working well in our environment. We see a number of opportunities to use Splunk in other use-cases across the business.

June 2017

The prompt and decision

"As a financial services organisation, information security and system availability are core to the success of our business. With the business growing, we needed a solution that was scalable and which allowed our team to focus on high-value management tasks rather than on data collection and review."

Information security is vital to modern organisations, and particularly for those that deal in sensitive data, such as Netwealth. It is essential to actively assess software applications for security weaknesses to prevent exploitation and access by third parties, who could otherwise extract confidential and proprietary information. Security monitoring looks for abnormal behaviours and trends that could indicate a security breach.

"The continued growth of the business and the increased sophistication of threats prompted us to look for a better way to bring together our security and IT operations information and events," explains Chris Foong, Technology Infrastructure Manager at Netwealth. "Advancements in the technology available in this space over the last few years meant that a number of attractive options were available."

The first stage in Netwealth’s project was to select the right tool for the job, with several options short-listed. Each of these options was pilot tested, to establish which was the best fit to the requirements—and Splunk, with its high versatility and ease of use, was the selected solution.

The power in the solution comes from Splunk’s ability to combine multiple real-time data flows with machine learning and analysis which prioritises threats and actions, and the use of dynamic visual correlations and on-demand custom queries to more easily triage threats. Together, this empowers IT to make informed decisions.

Objective

Netwealth’s business objective was to implement a security information and event management (‘SIEM’) compliant tool to enhance management of security vulnerabilities and reporting. Their existing tool no longer met the expanding needs of the business, and so they looked to Splunk and JDS to provide a solution.

Approach

Netwealth conducted a proof of concept with various tools, and Splunk was selected. JDS Australia, as Splunk Implementation Partner, provided licensing and expertise.

IT improvements

Implementing Splunk monitoring gave Netwealth enhanced visibility over their security environment, and the movement of sensitive data through the business. This enabled them to triage security events and vulnerabilities in real time.

About Netwealth

Founded in 1999, Netwealth was established to provide astute investors and wealth professionals with a better way to invest, protect and manage their current and future wealth. As a business, Netwealth seeks to enable, educate and inspire Australians to see wealth differently and to discover a brighter future.

Netwealth offers a range of innovative portfolio administration, superannuation, retirement, investment, and managed account solutions to investors and non-institutional intermediaries including financial advisers, private clients, and high net worth firms.

Industry

Financial Services

Primary applications

  • Office365
  • Fortigate
  • IIS
  • Juniper SRX
  • Microsoft DNS
  • Microsoft AD and ADFS (Active Directory Federation Services)
  • JBoss (Java EE Application Server)
  • Fortinet

Primary software

  • Splunk Enterprise
  • Splunk Enterprise Security (application add-on)

The process

Now that Splunk had been identified as the best tool for the job, it was time to find an Implementation Partner—and that’s where JDS came in. JDS, as the most-certified Australian Splunk partner, was the natural choice. "JDS provided Splunk licensing, expertise on integrating data sources, and knowledge transfer to our internal team," says Foong.  

An agile, project managed approach was taken.  

  1. Understand the business requirements and potential threats associated with Netwealth’s environment.
  2. Identify the various services that required security monitoring.
  3. Identify the data feed for those services.
  4. Deploy and configure core Splunk.
  5. Deploy the Enterprise Security application onto Splunk.
  6. Configure the Enterprise Security application to enable features. These features gave visibility into areas of particular concern.

What is Splunk security monitoring/Splunk Enterprise Security?

Splunk Enterprise Security (‘ES’) is a security solution built on the powerful features of Splunk. It gives the ability to continuously monitor the security environment; optimise, centralise, and automate incident response using workflows and alerting; conduct rapid investigation of potential incidents; and trace activities associated with compromised systems, applying a ‘kill-chain’ methodology to see the attack lifecycle.

The JDS team worked well with our team, were knowledgeable about the product, and happy to share that knowledge with our team.
JDS are professional. They delivered what they said they would, and didn’t under- or over-sell themselves. They’ve provided ongoing support and advice beyond the end of the project. We would work with them again.

The JDS difference

For this project, JDS "assisted Netwealth in deploying and configuring Splunk, and gaining confidence in Splunk Enterprise Security," explains the JDS Consultant on the case. "We were engaged as a trusted partner with Splunk, and within hours of deployment, we had helped Netwealth to gain greater visibility of the environment."

JDS were able to leverage their Splunk expertise to give added value to the client, advising them on how to gain maximum value in terms of both project staging, and in the onboarding of new applications. "We advocated a services approach—start by designing the dashboard you want, and work backwards towards the data required to build that dashboard."

"The JDS team worked well with our team, were knowledgeable about the product, and happy to share that knowledge with our team," says Netwealth’s Chris Foong. "They delivered what they said they would, and didn’t under- or over-sell themselves. We would work with them again."

End results

Chris Foong says that Netwealth was looking for "improved visibility over security and IT operations information and events, to aid in faster response and recovery"—and the project was a success on all counts.

"The project was delivered on time and to budget, and Splunk is now capturing data from all the required sources," adds Foong. "We also identified a number of additional use cases, over and above the base Enterprise Security case, such as rapidly troubleshooting performance degradation."

Now that Netwealth has implemented Splunk, the software has further applicability across the business. The next step is continuing to leverage Splunk, and JDS will be there to help.

Business Benefits

  • Gave Netwealth better visibility into the organisation’s security posture
  • Presents the opportunity for leveraging of Splunk in other areas of the business; for example, marketing
  • Allows Netwealth to have greater visibility into application and business statistics, with the potential to overlay machine learning and advanced statistical analysis of this business information
Australia’s new mandatory security notifications


The majority of Australian organisations will soon be required to report major data security breaches. But what does this mean, and how can businesses avoid associated risks?

Several years ago, JDS received a fax. This was unusual for two reasons: firstly, it was a fax in the 21st century; secondly, it was an authorisation for payment of 60 million dollars from a large market fund. The fax was from a broker, who was merely confirming 'our' bank account details before sending through the transfer—if JDS were in the business of heists, it would have been a matter of changing a digit or two, then faxing the form back for payment.

As you can tell by the fact JDS haven't converted downtown Melbourne into a tropical beach, no such skullduggery transpired: instead, JDS MD John Bearsley called the broker and explained that he might have the wrong fax number on file. The broker was a bit shocked, to say the least. But what about the client? Did they ever find out?

Under Australia's new mandatory data security notification laws, applicable from 22 February 2018, the broker would have been forced to notify the client and the Office of the Australian Information Commissioner (OAIC) of the information breach. This is because, through a simple mix-up, we gained access to personal and private information about the fax's intended recipient, and the breach could have had serious consequences. Under the new requirements, data security breaches are to be dealt with as follows:

  1. Contain the breach and assess
  2. Evaluate risks for individuals associated with the breach
  3. Consider whether there is need for notification
  4. Review and take action to prevent further breaches

The difference between this new schema and any internal risk or incident management procedure lies in the role of compulsory reporting. If there is real risk of serious harm, then the individuals involved, and potentially the police as well as the OAIC, must be notified. This notification is to include the scope of the breach, and information regarding containment of the breach and action taken to prevent further breaches.

So what constitutes 'serious harm'? This relates to the type of information, its sensitivity, whether the information is protected, whether it can be used in combination with other information to cause harm, the attributes of the person or body who now hold the information, and the nature of the harm. It ties into existing Australian privacy and information security legislation, and has particular relevance for organisations that hold databases of information, particularly personal or sensitive information, about their customers or users. Consider the following IT security-related disasters that have come to light, noting that a number are based in the US, where compulsory reporting is already in effect:

Bangladesh Bank

A group of internationally-based hackers attempted to steal nearly US$1 billion from Bangladesh Bank after identifying some security vulnerabilities. They compromised the bank’s network, and used the credentials they gained to authorise bank transfers to the tune of US$951 million. Similar attacks have been seen at the Banco del Austro in Ecuador (US$12 million stolen) and the Tien Phong Bank in Vietnam (unsuccessful).

Result

US$101 million of transfers were successfully completed by the thieves; US$63 million was never recovered.

Indiana University

The names, addresses, and Social Security Numbers of a large number of Indiana University students and graduates were stored on an unprotected site. The lack of protection meant that several data mining applications not just accessed, but downloaded all the data files.

Result

Students and credit reporting agencies had to be notified; ongoing risk for financial fraud and identity theft, and associated liability.

Anthem

Anthem suffered a cyber attack in late 2014, with information accessed potentially including names, home addresses, email addresses, employment information, birth dates, and income data. The FBI investigation found that the attacks were conducted by international parties who were curious about the American healthcare system. Almost all of Anthem’s product lines were impacted.

Result

Anthem had to pay US$115 million to settle a class action litigation suit as a result of the breach. They also provided up to four years of credit monitoring and identity protection services to affected customers.

Philippine Commission on Elections (COMELEC)

Weaknesses in COMELEC’s network and data security meant hackers were able to access the full database of all registered voters in the Philippines. The database contained personal details many of which were stored in plain text, and included fingerprints, passport numbers and expiry dates, and potentially voting behaviour.

Result

The data could be used for extortion, phishing, or blackmailing purposes, and related hacks may lead to election manipulation.

Tesco Bank

Tesco Bank had monitoring and security mechanisms in place. However, Tesco Bank data such as credit card verification had to be accessed by the parent company Tesco, which does not appear to have been as secure. Security is only as strong as the weakest link in the chain, and in this instance, money was stolen and customers defrauded.

Result

Customers defrauded to the tune of 2.5 million pounds. The bank had to pay associated costs, and manage associated brand damage.

Yahoo

Yahoo’s security was breached twice, in 2014 (500 million accounts stolen by a state-sponsored actor) and 2013 (one billion accounts). Information included user names, telephone numbers, birth dates, and encrypted passwords.

Result

Yahoo’s sale price to Verizon was reduced by some US$350 million as a result of the hacks.

The above breaches cover a wide scope of industries—from health to insurance, government, and education. They have led to wide-ranging financial and reputational damage.

It would be naive to think that similar data breaches don't take place in Australia, though at the moment, it is not compulsory to report them. In 2015–2016, 107 organisations voluntarily notified the OAIC of breaches, and we are likely to see a rise in this number once the new legislation kicks in.

What does this mean for your organisation?

If your organisation deals with sensitive or personal information, including data such as emails, passwords, addresses, birth dates, health records, education records, passport numbers, ID numbers, travel information etc., then you need to prepare for the upcoming legislation. Part of this will be ensuring you have the correct policies, procedures, and training in place—and the other part will be making sure your environment is protected. The security of your IT infrastructure has always been, and will continue to be, vital: but now, there is an increased risk to your organisation, financially and particularly reputationally, if you do not ensure your environment is as secure as possible before mandatory reporting comes in. Test and assess your infrastructure and applications now, rather than down the line following a reportable incident.  

For advice or to book an assessment, call our friendly JDS consultants today.

 

Posted by JDS Admin in News, Secure
Security testing—the JDS approach


Reduce risk to your business critical applications by rigorously identifying and resolving application security flaws and vulnerabilities.

What is security testing?

Security testing, also known as penetration or vulnerability testing, actively assesses software applications for security weaknesses.  Such weaknesses may exist within the application’s code, configuration, or design, and allow the application to be exploited in a manner that will allow third parties to extract confidential and proprietary information.  

Application security testing is vital to good security practice, as it allows businesses to take control of their risks by identifying and reducing security concerns.  It provides the confidence that your organisational data is safe, and that your clients are protected in turn.

How does it work?

JDS provides an application security testing service that assesses your application’s controls, provides recommendations to remediate identified issues, and removes factors that could aid an attack upon your business.   We provide security testing for applications and environments specialising in web, mobile, and cloud applications.

JDS provides our security testing clients with reports containing both technical definitions of the security issues located and, importantly, the high-level business context for the vulnerability.  This includes scenario modelling in easily digestible language, enabling your business to make appropriate and timely business decisions and reduce your organisational risk profile.

A rigorous approach

JDS adopts the Open Web Application Security Project (OWASP) methodology for application security testing. This ensures all web, mobile, and cloud applications undergo a comprehensive assessment.

All the findings and recommendations are made simple for organisations to digest and make informed decisions through the use of abuse cases, risk ratings, live exploit demonstrations, issue representation, and developer education.

Why JDS?

JDS has assisted many businesses with security analysis and allaying associated operational risks.  Applications have ranged from internally-accessed personnel databases through to externally-facing applications that drive ordering, customer engagement, and loyalty.

  • Ensured the application-level security of a major global beverage manufacturer’s customer portal, used to automate stock and purchase orders.
  • Has been engaged by one of the largest education institutions in Australia on more than 15 occasions to conduct security analyses, and completes an annual re-engagement across student-facing applications for a tertiary support organisation.
  • Conducts annual testing of a global health provider’s event management system, used to manage a globally-deployed competition and associated prizes.
  • Retained for successive ongoing engagements with a major power distributor. Engagements have ranged from ensuring the security of internet-accessible corporate SAP applications to their corporate website, Microsoft SharePoint applications, and expense management systems.
  • Provides security testing services to a NSW higher education institution in relation to a model for climate change impact.